
Starting with Ganeti 2.2, instances can be moved between separate Ganeti
clusters using a new tool, move-instance. The tool has a number of
features:

- Moving a single or multiple instances
- Moving instances in parallel (--parallel option)
- Renaming instance (only when moving a single instance)
- SSL certificate verification for RAPI connections

The design of inter-cluster instance moves is described in detail
in the Ganeti 2.2 design document. The instance move
tool talks to the Ganeti clusters via RAPI and can run on any machine
which can connect to the cluster’s RAPI. Despite their similar names, the
instance move tool should not be confused with the gnt-instance move
command, which moves an instance within the cluster without changes
(instead of export/import plus rename).

To prevent third parties from accessing the instance data, all data
exchanged between the clusters is signed using a secret key, the
“cluster domain secret”. It is recommended to assign the same domain
secret to all clusters of the same security domain, so that instances
can be easily moved between them. By checking the signatures, the
destination cluster can be sure the third party (e.g. this tool) didn’t
modify the received crypto keys and connection information.
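
The check described above, as an added example that is not Ganeti's own code or wire format: it assumes a salted HMAC-SHA256 over a JSON body, and the function names, envelope fields and sample values are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets


def _mac(secret: bytes, salt: str, body: str) -> str:
    # Length-prefix the salt so bytes cannot be shifted between salt and body.
    data = f"{len(salt)}:{salt}{body}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def sign_message(secret: bytes, payload: dict) -> dict:
    """Source cluster: sign connection info before handing it to the relay."""
    salt = secrets.token_hex(8)
    body = json.dumps(payload, sort_keys=True)
    return {"salt": salt, "body": body, "hmac": _mac(secret, salt, body)}


def verify_message(secret: bytes, envelope: dict) -> dict:
    """Destination cluster: accept the payload only if the signature matches."""
    expected = _mac(secret, envelope["salt"], envelope["body"])
    if not hmac.compare_digest(expected, envelope["hmac"]):
        raise ValueError("signature mismatch: data altered or wrong domain secret")
    return json.loads(envelope["body"])


if __name__ == "__main__":
    domain_secret = secrets.token_bytes(32)  # constructed stand-in for the shared secret
    info = {"host": "192.0.2.10", "port": 11000}  # constructed connection info
    envelope = sign_message(domain_secret, info)

    # Relayed unchanged: the destination accepts it.
    print(verify_message(domain_secret, envelope))

    # The relay rewrote the host: the destination rejects it.
    altered = dict(envelope, body=envelope["body"].replace("192.0.2.10", "192.0.2.99"))
    try:
        verify_message(domain_secret, altered)
    except ValueError as err:
        print("rejected:", err)

    # A cluster outside the security domain (different secret) also rejects it.
    try:
        verify_message(secrets.token_bytes(32), envelope)
    except ValueError as err:
        print("rejected:", err)
```
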

To create a new, random cluster domain secret, run the following command
on the master node:

$ gnt-cluster renew-crypto --new-cluster-domain-secret

To read and set the cluster domain secret from the contents of a file,
run the following command on the master node:

$ gnt-cluster renew-crypto --cluster-domain-secret=/.../ganeti.cds

More information about the renew-crypto command can be found in
gnt-cluster(8).

Multiple instances can be moved with one invocation of the instance move
tool, though a few options are only available when moving a single
instance.

The most important options are listed below. Unless specified otherwise,
destination-related options default to the source value (e.g. setting
--src-rapi-port=1234 will make the default for --dest-rapi-port 1234 as well).

--src-rapi-port/--dest-rapi-port

RAPI server TCP port, defaults to 5080.

--src-ca-file/--dest-ca-file

Path to file containing source cluster Certificate Authority (CA) in
PEM format. For self-signed certificates, this is the certificate
itself (see more details below in Certificates). For certificates
signed by a third party CA, the complete chain must be in the file
(see documentation for SSL_CTX_load_verify_locations(3)).